Overworked ICANN community “at breaking point”, Chehade warns

The volunteers that do the bulk of the policy-development work at ICANN are are suffering from “burnout” and are at “breaking point”, CEO Fadi Chehade said during the opening ceremony of the ICANN 52 public meeting in Singapore today.
“This community — we’re hearing this from many of your leaders — is reaching a bit of burnout. And we in the staff are responsible to support you better so that we can manage the workload that you’re all feeling,” Chehade said.
A session later today will demonstrate some of the tools and processes ICANN plans to put in place to alleviate the load, he said.
Much of the work in ICANN’s supporting organizations is done on a volunteer basis.
ICANN’s tendency to spawn new working groups, roles and committees on an almost fractal basis, and the relative lack of people willing to shoulder the burden of endless teleconferences and sprawling mailing lists, has long been an issue for the community.
Not only does ICANN have to do the work of making DNS policies, it also undergoes a permanent process of self-analysis and review, which eats up time. That has been especially pronounced as ICANN prepares for its probable transition away from US government oversight.
Chehade gave an example of a key community member who showed up uncomplainingly to an important meeting despite suffering a personal tragedy just a day earlier.
“This community is a very unique community. The volunteers that make up ICANN are essentially the spirit of ICANN,” Chehade said. “This is who we are. But this is the beauty of ICANN. This is what makes us very special, and I know that our volunteers are at break-point, but let me tell you, there is no better community.”

Human glitch lets hackers into ICANN

It’s 2014. Does anyone in the domain name business still fall for phishing attacks?
Apparently, yes, ICANN staff do.
ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.
According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.
CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.
But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.
While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:

The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.

As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.
It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.
Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.
User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.
In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.
It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.
While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.
That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.

As another group rejects proposal, is NETmundial stillborn?

The nascent NETmundial Initiative appears to be in dire straits already, just weeks into its existence, after another influential internet governance body decided against joining.
The Internet Architecture Board, which holds ultimate responsibility for the Request For Comment standards that help the internet remain interoperable, said yesterday that it will not join NetMundial, saying it is “not needed”.
The IAB’s rejection of the initiative follows that of the Internet Society, which said last month that the way NETmundial was being formed was not transparent, bottom-up or decentralized.
NETmundial is deliberately and self-consciously not related to domain names, which is why I’ve paid it scant attention recently, but I think it’s worth a mention because it is the brainchild in part of ICANN CEO Fadi Chehade and the subject of some discussion at ICANN meetings.
The idea behind the initiative is to create a policy body that can look at cross-border internet governance issues not already dealt with in fora such as ICANN or the IETF.
Chehade has been particularly enthusiastic about it as it could create a way to prevent special interests attempting to strong-arm ICANN, as the only “internet governance” entity out there with any real power, into making policies outside of its narrow remit.
The group was founded by ICANN, the government-linked Brazilian Internet Steering Committee and the World Economic Forum. Its name is borrowed from the NETmundial meeting, a policy talking shop that took place in Sao Paolo with the support of the Brazilian government this April.
But it’s come in for criticism for lacking true bottom-up organization.
The original plan was for a Coordinating Council to be created, comprising 20 people from four sectors and five geographic regions, to be selected by ICANN, the WEF and Brazil from a raft of self-nominated individuals.
There were to be another five permanent seats — three for the three organizers, one for the I* technical standards bodies and one for the Internet Governance Forum — but this was reportedly abandoned after ISOC expressed its disapproval of the plan.
Indeed, with the IGF also expressing misgivings about the Council’s make-up, there was the very real possibility of two of the five permanent seats sitting empty.
So far, just 10 days shy of the December 15 deadline, only 20 nominations have been received for the regular council. Four seats currently have no volunteers and four are contested by two people.
There hasn’t been much in the way of contributions to policy discussions either (though this is perhaps understandable for such a young initiative). So far, only two people have put forward ideas for discussion topics. On relates to brain-computer interfaces and the other to cyberbullying.

Community proposes way to replace US oversight of ICANN

The process of removing the US government from management of the DNS root system took a significant step forward today, with the publication of a community proposal for a transition.
The Cross Community Working Group, which convened itself earlier this year, has published a proposal to replace the US with a new contracting company and a bunch of committees.
The DNS community has been tasked with coming up with a way to transition stewardship of the IANA functions from the US National Telecommunications and Information administration, which said in March this year that it intends to relinquish its historic, but largely symbolic, Damoclean role.
After discussions which by any measure of ICANN policy-making have been forcibly swift, the 119-member CWG has now presented two broad options.
The first, a description of which forms the bulk of its report, would see ICANN overseen by a new, lightweight non-profit company managed by multi-stakeholder committees.
The other, which doesn’t get much airplay in the document, would see ICANN simply take over the NTIA’s responsibilities entirely. Accountability would be provided by enhanced accountability processes within the existing ICANN structure.
Under the primary proposal, the CWG was keen to avoid creating something ICANN-like to oversee ICANN, due to the complexity and cost, but it also decided that ICANN remains the best place to house the IANA function for the foreseeable future.
It’s proposed a new company, known currently as “Contract Co”, that would be replace the NTIA as the party that contracts with ICANN to run IANA. It would have “little or no staff”.
The contract itself would be developed and overseen by a Multistakeholder Review Team, comprising people drawn from each area of the ICANN community.
The precise make-up of this MRT is still open to discussion and will be, I suspect, the subject of some pretty fierce debate as the various competing interest groups wrestle to have themselves with the strongest possible representation.
Like the NTIA, the MRT would have the power to pick another entity to run IANA in future, should ICANN screw up.
A new Customer Standing Panel would comprise executives from gTLD and ccTLD registries — the “customers” of IANA’s naming functions — and would have the job of relaying the concerns of registries to the MRT, keeping ICANN accountable to its primary users.
Finally, there’d be an Independent Appeals Panel. Any IANA decision — presumably including the delegation or redelegation of a TLD — could be appealed to this IAP. This function would very probably be outsourced on a case-by-case basis to an existing arbitration body.
Is this worrying? Arbitration panels handling new gTLD disputes haven’t exactly inspired confidence in their ability to provide consistent — or even rational — decisions over the last year or so. Should the last word on what goes into or stays out of the DNS root really go to the same folk who think .通販 and .shop are too confusingly similar to coexist on the internet?
There doesn’t appear to be anything massively surprising in the proposal. When ICANN or its community try to solve a problem the answer is usually a new committee, and the ideas of MRTs, CSPs and IAPs do seem to mirror existing structures to an extent.
The whole thing can be downloaded and read over here.
There’s a December 22 deadline for comment. It will be submitted to the IANA Stewardship Transition Coordination Group by the end of January, with a view to getting a final proposal to the US government next summer in time for the hoped-for September 30 handover date.

ICANN meetings in for big shake-up, more dancing

Could you tolerate an eight-day ICANN meeting?
Could you get all your work done in just four days?
Would you be happy to wait up to nine months between Public Forums?
Do you want to see more regional dancing during ICANN opening ceremonies?
These are question you’re going to have to start asking yourself, because come 2016 ICANN meetings are in for a big change.
Recommendations adopted wholesale by the ICANN board last week would scrap the three six-day meetings schedule and replace it with one six-day meeting at the start of the year, one four-day meeting in the middle and one eight-day meeting towards the end.
The first of the year would be formatted pretty much the same as all meetings are currently.
The second, however, would scrap formalities such as the opening ceremony, as well as the Public Forum and public board meeting. Instead, the focus would be on policy development work within and between advisory committees and supporting organizations.
The final meeting of the year, the AGM, would add two extra days to the regular schedule for outreach sessions and SO/AC policy-making. There would be two Public Forum sessions, one immediately after the opening ceremony on day three, the other on day six as usual.
As this would be the official outreach “event” of the year, the opening ceremony would usually have some display of local culture, such as music or dance. That was once a staple of ICANN meetings, but we haven’t seen much of it the last couple of years.
The shake-up was recommended in a report published by the Meeting Strategy Working Group in February and adopted in its entirely by the ICANN board last week.
The third meeting of the year would be “would have a focus on showcasing ICANN’s work to a broader global audience”, according to the report. It would have an anticipated attendance of over 2,000 people and would therefore likely be held in a large hub city.
The smaller (it is anticipated) second meeting, with its reduced focus on formality and outreach, would (contrarily) be able to visit cities with smaller facilities, perhaps in parts of the world ICANN has not been able to visit before, the report says.
To be honest, I’m not really sure whether what’s been adopted will be any better than what’s in place today.
I’m pretty certain of one effect, however: if bombshells are dropped shortly after the first meeting of the year, you’re looking at somewhere between seven and nine months before you’ll be able to stand at a mic and yell at the ICANN board about it in public.

“Cyberflight” rules coming to UDRP next July

It will soon be much harder for cybersquatters to take flight to another registrar when they’re hit with a UDRP complaint.
From July 31 next year, all ICANN-accredited registrars will be contractually obliged to lock domain names that are subject to a UDRP and trademark owners will no longer have to tip off the registrant they’re targeting.
Many major registrars lock domain names under UDRP review already, but there’s no uniformity across the industry, either in terms of what a lock entails or when it is implemented. Under the amended UDRP policy, a “lock” is now defined as:

a set of measures that a registrar applies to a domain name, which prevents at a minimum any modification to the registrant and registrar information by the Respondent, but does not affect the resolution of the domain name or the renewal of the domain name.

Registrars will have two business days from the time they’re notified about the UDRP to put the lock in place.
Before the lock is active, the registrants themselves will not be aware they’ve been targeted by a complaint — registrars are banned from telling them and complainants no longer have to send them a copy of the complaint.
If the complaint is dismissed or withdrawn, registrars have one business day to remove the lock.
Because these change reduce the 20-day response window, registrants will be able to request an additional four calendar days (to account for weekends, I assume) to file their responses and the request will be automatically granted by the UDRP provider.
The new policy was brought in to stop “cyberflight”, a relatively rare tactic whereby cybersquatters transfer their domains to a new registrar to avoid losing their domains.
The policy was approved by the Generic Names Supporting Organization in August last year and approved by the ICANN board a month later. Since then, ICANN staff has been working on implementation.
The time from the first GNSO preliminary issue report (May 27, 2011) to full implementation of the policy (July 31, 2015) will be 1,526 days.
You can read a redlined version of the UDRP rules here (pdf).

Judge blocks seizure of Iran’s ccTLD

ICANN has won a court battle, and avoided a major political incident, over an attempt by terrorism victims to seize ccTLDs belonging to Iran, Korea and Syria.
A District of Columbia judge ruled this week that while ccTLDs may be a form of “property” under the law, they’re not “attachable” property.
Attachment is a legal concept used when creditors attempt to seize assets belonging to debtors.
The ruling overturns a request by a group of terrorism survivors, led by attorney Nitsana Darshan-Leitner, to have .ir, .sy, .kp, سور, and ايران. transferred to them in lieu of payment of previous court rulings.
Darshan-Leitner has previously secured US court judgments amounting to hundreds of millions of dollars against the three nations. Because the nations have not paid these penalties, she’s been using the courts to seize state-owned assets in the US instead.
But US District Judge Royce Lamberth ruled (pdf) earlier this week:

the country code Top Level Domain names at issue may not be attached in satisfaction of plaintiffs’ judgments because they are not property subject to attachment under District of Columbia law.

However, he added in a footnote:

But the conclusion that ccTLDs may not be attached in satisfaction of a judgment under District of Columbia law does not mean that they cannot be property. It simply means that they are not attachable property within this statutory scheme.

Drawing on “sparse” case law, Lamberth’s rationale appears to be that domain names are not a product, they’re a service. He wrote:

The ccTLDs exist only as they are made operational by the ccTLD managers that administer the registries of second level domains within them and by the parties that cause the ccTLDs to be listed on the root zone file. A ccTLD, like a domain name, cannot be conceptualized apart from the services provided by these parties. The Court cannot order plaintiffs’ insertion into this arrangement.

The ruling, which may of course be challenged by the plaintiffs, helps ICANN and the US government avoid a huge political embarrassment at a time when the links between the two are being dissolved and relations with Iran are defrosting.

Ebola 1 – ICANN 0 as Marrakech dumped for Singapore

Ebola has claimed its first Moroccan victim, in the form of ICANN 52.
The organization confirmed overnight that its next public meeting will not be held in Marrakech next February after all.
Instead, the ICANN community will head to Singapore, and the now-familiar halls of the Raffles Convention Center.
ICANN had previously said it was reconsidering Marrakech due to the worry of African travel restrictions in light of the Ebola virus, which has infected over 13,000 people in West Africa.
While Morocco, thousands of kilometers away, has not recorded any cases, there’s concern that large international gatherings, such as the African Cup of Nations or ICANN 52, could import the disease.
ICANN did not mention Ebola in its announcement today, however.
Instead, it said that is relocating the meeting to Singapore due to the overworked community’s desire to stick to its three-meetings-per-year schedule.
It will head to Marrakech in early 2016 instead.
The Singapore meeting will be held on the same dates — February 8 to 12 — at a location that will be familiar to regular ICANN travelers. ICANNs 41 and 49 have been held there in the last few years.

For only the second time, ICANN tells the GAC to get stuffed

ICANN’s board of directors has decided to formally disagree with its Governmental Advisory Committee for what I believe is only the second time in the organization’s history.
In a letter to new GAC chair Thomas Schneider today, ICANN chair Steve Crocker took issue with the fact that the GAC recently advised the board to cut the GNSO from a policy-making decision.
The letter kick-starts a formal “Consultation Procedure” in which the board and GAC try to reconcile their differences.
It’s only the second time, I believe, that this kind of procedure — which has been alluded to in the ICANN bylaws since the early days of the organization — has been invoked by the board.
The first time was in 2010, when the board initiated a consultation with the GAC when they disagreed about approval of the .xxx gTLD.
It was all a bit slapdash back then, but the procedure has since been formalized somewhat into a seven-step process that Crocker outlined in an attachment to his letter (pdf) today.
The actual substance of the disagreement is a bit “inside baseball”, relating to the long-running (embarrassing, time-wasting) saga over protection for Red Cross/Red Crescent names in new gTLDs.
Back in June at the ICANN 50 public meeting in London, the GAC issued advice stating:

the protections due to the Red Cross and Red Crescent terms and names should not be subjected to, or conditioned upon, a policy development process

A Policy Development Process is the mechanism through which the multi-stakeholder GNSO creates new ICANN policies. Generally, a PDP takes a really long time.
The GNSO had already finished a PDP that granted protection to the names of the Red Cross and Red Crescent in multiple scripts across all new gTLDs, but the GAC suddenly decided earlier this year that it wanted the names of 189 national Red Cross organizations protected too.
And it wasn’t prepared to wait for another PDP to get it.
So, in its haste to get its changing RC/RC demands met by ICANN, the GAC basically told ICANN’s board to ignore the GNSO.
That was obviously totally uncool — a slap in the face for the rest of the ICANN community and a bit of an admission that the GAC doesn’t like to play nicely in a multi-stakeholder context.
But it would also be, Crocker told Schneider today, a violation of ICANN’s bylaws:

The Board has concerns about the advice in the London Communiqué because it appears to be inconsistent with the framework established in the Bylaws granting the GNSO authority to recommend consensus policies to the Board, and the Board to appropriately act upon policies developed through the bottom-up consensus policy developed by the GNSO.

Now that Crocker has formally initiated the Consultation Procedure, the process now calls for a series of written and face-to-face interactions that could last as long as six months.
While the GAC may not be getting the speedy resolution it so wanted, the ICANN board’s New gTLD Program Committee has nevertheless already voted to give the Red Cross and Red Crescent the additional protections the GAC wanted, albeit only on a temporary basis.

Oops! Cock-up reveals ICANN survey respondent emails

An ICANN contractor accidentally revealed the email addresses of almost 100 people who responded to a survey related to a review of the Generic Names Supporting Organization.
An invitation to participate in a follow-up survey was sent out to respondents today with all the email addresses in the To:, rather than BCC:, field.
Westlake Governance, which is conducting the survey for ICANN, quickly sent an apology:

We have been sending invitations in batches, and regret that we included your address in the only set of invitations that was copied inadvertently in the “To” line as addressee, rather than as a “Bcc.”
We sincerely apologise for this breach of our internal protocols and potentially of your privacy.

The misfire revealed that 15 out of the 98 listed respondents have @icann.org email addresses, suggesting roughly 15% of the responses came from ICANN staffers.
While the survey certainly anticipated responses from within the organization — one question gives “staff” as an option for the respondent to state their affiliation — some are not happy anyway.
Neustar vice president Jeff Neuman tweeted:

Should #ICANN staff be providing feedback on GNSO review? I see value in that; but results should not be grouped in with other responses.

— Jeff Neuman (@jintlaw) November 1, 2014

The massive, 93-question survey (pdf) was designed to kick-start the next cycle in ICANN’s interminable reviews of its policy-making bodies, in this case the GNSO.
The results of the survey will be used to inform a review of the GNSO’s structure, which could potentially re-balance power within the organization.